From dbb7a8af90054bf4ef51f5814ef7ceb17d83d974 Mon Sep 17 00:00:00 2001
From: dormando
Date: Tue, 27 Feb 2018 10:50:45 -0800
Subject: [PATCH] disable UDP port by default

As reported, UDP amplification attacks have started to use insecure internet-exposed memcached instances. UDP used to be a lot more popular as a transport for memcached many years ago, but I'm not aware of many recent users. Ten years ago, the TCP connection overhead from many clients was relatively high (dozens or hundreds per client server), but these days many clients are batched, or user fewer processes, or simply anre't worried about it. While changing the default to listen on localhost only would also help, the true culprit is UDP. There are many more use cases for using memcached over the network than there are for using the UDP protocol.
---
 memcached.c | 6 ++----
 t/issue_67.t | 4 ++--
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/memcached.c b/memcached.c
index 88a5f2ebe9..7178666e25 100644
--- a/memcached.c
+++ b/memcached.c
@@ -222,7 +222,7 @@ static void settings_init(void) {
     settings.use_cas = true;
     settings.access = 0700;
     settings.port = 11211;
-    settings.udpport = 11211;
+    settings.udpport = 0;
     /* By default this string should be NULL for getaddrinfo() */
     settings.inter = NULL;
     settings.maxbytes = 64 * 1024 * 1024; /* default is 64MB */
@@ -7479,9 +7479,7 @@ int main (int argc, char **argv) {
         }
     }
 
-    if (tcp_specified && settings.port != 0 && !udp_specified) {
-        settings.udpport = settings.port;
-    } else if (udp_specified && settings.udpport != 0 && !tcp_specified) {
+    if (udp_specified && settings.udpport != 0 && !tcp_specified) {
         settings.port = settings.udpport;
     }
 
diff --git a/t/issue_67.t b/t/issue_67.t
index 69c869f4ce..b2d374fa57 100644
--- a/t/issue_67.t
+++ b/t/issue_67.t
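Review bot: The new default `settings.udpport = 0;` carries no explanation, and the reason is exactly what the next person tempted to "restore" 11211 needs to see; add `/* UDP is off by default (0): internet-exposed memcached has been abused as a UDP reflection/amplification vector, so UDP must be enabled explicitly with -U. */` above it. The value 0 is the same sentinel the `-U 0` path already treats as "disabled" (see `settings.udpport != 0` in main and the `udp port disabled` case in t/issue_67.t), so the default is consistent with the flag semantics. If the usage() text or the man page still describe the -U default as 11211, they need the same update; that is not visible in this hunk. settings_init() starts before the hunk.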
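Review bot: The surviving branch means `-U <port>` with no `-p` still opens a TCP listener on the same port, so an operator who reads "UDP is now opt-in" and passes only `-U 11211` silently gets TCP as well, while the symmetric TCP-implies-UDP case was removed; the asymmetry may be deliberate but it is undocumented. Add `/* -U without -p still implies TCP on the same port; a UDP-only listener requires an explicit -p 0. */` above the `if`, since the old else-if made the pairing obvious and the lone condition no longer does. Now that UDP has to be enabled on purpose, this is also the natural place to log a startup warning when udpport is non-zero and the bind address is not loopback, though whether settings.inter can be inspected here depends on code later in main() that is outside the hunk. main() begins and ends outside this hunk.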
@@ -77,11 +77,11 @@ sub when {
 
 # Disabling the defaults since it conflicts with a running instance.
 # when('no arguments', '', 11211, 11211);
-when('specifying tcp port', '-p 11212', 11212, 11212);
+when('specifying tcp port', '-p 11212', 11212, -1);
 when('specifying udp port', '-U 11222', 11222, 11222);
 when('specifying tcp ephemeral port', '-p -1', 0, 0);
 when('specifying udp ephemeral port', '-U -1', 0, 0);
-when('tcp port disabled', '-p 0', -1, 11211);
+when('tcp port disabled', '-p 0', -1, -1);
 when('udp port disabled', '-U 0', 11211, -1);
 when('specifying tcp and udp ports', '-p 11232 -U 11233', 11232, 11233);
 when('specifying tcp and disabling udp', '-p 11242 -U 0', 11242, -1);
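Review bot: The commented-out baseline `# when('no arguments', '', 11211, 11211);` now records the wrong expectation: after this change, no arguments means TCP on 11211 and UDP off, i.e. `11211, -1`, so anyone reading it or re-enabling the case will be misled. Update it to `# when('no arguments', '', 11211, -1);` so the disabled case still documents the real default alongside the updated `-p 11212` and `-p 0` cases. The `when` helper these calls exercise is defined before the hunk.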